As is well known, certificates play an essential role in public key cryptography. For example, public key certificates allow public keys to be communicated over unsecured media without danger of undetectable manipulation, thereby ensuring that public key authenticity and validity remain verifiable. Public key certificates are described in, e.g., A. J. Menezes et al., “Handbook of Applied Cryptography,” CRC Press, 1997, which is incorporated by reference herein. A public key certificate typically includes a data part and a signature part. The data part, which is in plaintext form, generally includes at a minimum the public key and a corresponding subject entity identifier, and may include additional information such as specified access rights. The signature part comprises a digital signature of a trusted certification authority (CA) on the data part. By its signature on the data part, the CA vouches for the authenticity of the public key bound to the subject entity. The public key certificate may thus be viewed as assigning an identity as well as specified access rights to the holder of the associated secret key. Such certificates are useful in many applications, including providing secure access to accounts, subscription-based services, and other types of restricted information, and controlling signatory authority for documents.
A significant problem with conventional certificate generation techniques is that the resulting certificates are not secure against “certificate lending.” This refers to a situation in which a certificate holder voluntarily shares with others the rights bestowed upon that holder through the certificate. This type of abuse is of particular concern for several types of applications, such as those involving digital rights management. Moreover, if a given user has multiple secret keys each having a corresponding certificate, it is generally the case that if the user shares a particular one of the certificates with other users, it does not adversely impact any other certificates held by the given user. This feature of conventional certificate techniques tends to encourage certificate lending, thereby aggravating the problem.
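The certificate structure and the lending weakness described in the two paragraphs above can be seen in a short sketch. This is an added example, not taken from the cited handbook or from the technique this document goes on to describe. It assumes textbook RSA without padding, toy keys built from Mersenne primes, and hypothetical names (issue, check_certificate, proves_possession, the subject "alice"), none of which is suitable for real use.

```python
import hashlib, json

E = 65537  # public exponent shared by all toy keys (assumption for this sketch)

def keygen(p, q):
    """Textbook RSA key from two primes: returns (modulus n, secret exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data: bytes, n: int) -> int:
    # SHA-256 of the data, reduced into the range of the modulus
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes, n: int, d: int) -> int:
    return pow(digest(data, n), d, n)

def verify(data: bytes, sig: int, n: int) -> bool:
    return pow(sig, E, n) == digest(data, n)

def issue(ca_n, ca_d, subject, subject_n, rights):
    """CA builds the plaintext data part and attaches its signature part."""
    fields = {"subject": subject, "public_key": subject_n, "rights": rights}
    data = json.dumps(fields, sort_keys=True)
    return {"data": data, "signature": sign(data.encode(), ca_n, ca_d)}

def check_certificate(cert, ca_n):
    """Return the parsed data part if the CA signature covers it, else None."""
    if not verify(cert["data"].encode(), cert["signature"], ca_n):
        return None
    return json.loads(cert["data"])

def proves_possession(cert, ca_n, nonce: bytes, response: int) -> bool:
    """Challenge-response: response must sign the nonce under the certified key."""
    fields = check_certificate(cert, ca_n)
    return fields is not None and verify(nonce, response, fields["public_key"])

# Constructed toy keys and certificate
CA_N, CA_D = keygen(2**107 - 1, 2**127 - 1)
ALICE_N, ALICE_D = keygen(2**61 - 1, 2**89 - 1)
CERT = issue(CA_N, CA_D, "alice", ALICE_N, ["read:reports"])
```

Any change to the data part breaks the CA signature, but proves_possession depends only on knowledge of the secret exponent, so the verifier cannot tell the named subject from anyone the subject has handed that exponent to.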
A need therefore exists for improved techniques for generating certificates, such that the above-noted certificate lending problem can be alleviated.